CosmicEnergy Malware Emerges, Capable of Electric Grid Shutdown

Published: 23/11/2024   Category: security




Russian code that could tamper with industrial machines and toggle RTUs on and off was floating around VirusTotal for years before being noticed. It raises new questions about the state of OT security.



Russian software capable of shutting off (or on) industrial machinery, with parallels to some of the world's most dangerous industrial malware, has been spotted publicly idling on VirusTotal (VT).
Researchers from Mandiant spotted CosmicEnergy recently, noting that it had been uploaded by a Russian user back in December 2021. The mystery only deepened with one particular comment in the code — evidence that the tool may have been designed for a power disruption red-team exercise hosted by the Russian cybersecurity company Rostelecom-Solar.
"We consider it … possible that a different actor — either with or without permission — reused code associated with the cyber-range to develop this malware," the researchers speculated in a blog post on May 25.
Far from any ordinary VT sample or red-team tool, CosmicEnergy "poses a plausible threat to affected electric grid assets," they explained, thanks to its ability to manipulate a type of industrial control device called a remote terminal unit (RTU).
An RTU is a special type of industrial controller which uses telemetry to interface between industrial machines and their control systems. Its function is relatively simple — receiving data and passing it on for analysis — but, crucially, it's capable of toggling automated industrial processes on and off.
In many ways, CosmicEnergy is modeled after Industroyer — the first malware designed to take down an electric grid — particularly Industroyer's newest variant, deployed last year by the Russian advanced persistent threat (APT) Sandworm in an attack against Ukraine. The researchers also likened it to some of the other most devilish programs to ever touch industrial networks, including Irongate, Ironcontroller, and Triton/Trisis.
To Daniel Kapellmann Zafra, Mandiant analysis manager at Google Cloud, CosmicEnergy demonstrates just how approachable malware designed for kinetic damage can be. "They've already learned how to do it; that is what makes it very concerning," he says.
Using CosmicEnergy, an attacker could cause power disruption simply by sending a command to trip a power-line switch or circuit breaker. It achieves this with two components.
First, PieHop is a Python-based tool that connects an attacker-controlled MSSQL server with an RTU at a targeted industrial site.
PieHop then uses the second component, Lightwork, a C++-based tool, to take advantage of an RTU's toggling capabilities, modifying the state of the RTU before erasing the executable from the targeted system.
The researchers did note that "the sample of PieHop we obtained contains programming logic errors that prevent it from successfully performing its IEC-104 control capabilities," but added that "we believe these errors can be easily corrected."
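As an added defensive illustration (this is not Mandiant's code and not anything from the article), the following Python parses IEC 60870-5-104 APDUs and flags the control-direction ASDU types, the command class that any tool toggling an RTU over IEC-104 has to emit, so a network sensor can alert on commands arriving from a peer that is not the legitimate master. Type identifiers, field layout and the ON/OFF encodings follow the standard; the byte stream inside the block is constructed for the example, and the `Apdu`, `iter_apdus`, `control_commands` and `describe` names are my own.

```python
"""Minimal IEC 60870-5-104 APDU parser that flags control-direction ASDUs.

Added illustration, not Mandiant's or the article's code. The sample byte
stream at the bottom is constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Control-direction type identifiers (process commands) per IEC 60870-5-101/104.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point, normalized",
    49: "C_SE_NB_1 set point, scaled",
    50: "C_SE_NC_1 set point, float",
    51: "C_BO_NA_1 bitstring of 32 bits",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_NAMES = {6: "activation", 7: "activation confirmation", 8: "deactivation"}


@dataclass
class Apdu:
    frame: str                        # "I", "S" or "U"
    type_id: Optional[int] = None     # ASDU type identification (I-frames only)
    cot: Optional[int] = None         # cause of transmission, low 6 bits
    common_addr: Optional[int] = None
    ioa: Optional[int] = None         # information object address of first object
    state: Optional[str] = None       # decoded ON/OFF for single/double commands


def iter_apdus(data: bytes) -> Iterator[Apdu]:
    """Walk a stream of back-to-back APDUs: 0x68, length, 4-byte APCI, ASDU."""
    off = 0
    while off < len(data):
        if off + 2 > len(data) or data[off] != 0x68:
            raise ValueError(f"bad start byte at offset {off}")
        length = data[off + 1]                  # octets following the length octet
        body = data[off + 2 : off + 2 + length]
        if len(body) != length or length < 4:
            raise ValueError(f"truncated APDU at offset {off}")
        cf1 = body[0]
        if cf1 & 0x01 == 0:
            frame = "I"                         # information transfer, carries an ASDU
        elif cf1 & 0x03 == 0x01:
            frame = "S"                         # numbered supervisory
        else:
            frame = "U"                         # unnumbered: STARTDT/STOPDT/TESTFR
        apdu = Apdu(frame=frame)
        if frame == "I":
            asdu = body[4:]
            if len(asdu) < 9:
                raise ValueError(f"short ASDU at offset {off}")
            apdu.type_id = asdu[0]
            apdu.cot = asdu[2] & 0x3F           # bit 6 = P/N, bit 7 = test flag
            apdu.common_addr = asdu[4] | (asdu[5] << 8)
            apdu.ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
            if apdu.type_id in (45, 58) and len(asdu) > 9:
                apdu.state = "ON" if asdu[9] & 0x01 else "OFF"       # SCS bit of SCO
            elif apdu.type_id in (46, 59) and len(asdu) > 9:
                apdu.state = {1: "OFF", 2: "ON"}.get(asdu[9] & 0x03, "INVALID")  # DCS
        yield apdu
        off += 2 + length


def control_commands(data: bytes) -> List[Apdu]:
    """Return every APDU carrying a control-direction ASDU: the events to alert on."""
    return [a for a in iter_apdus(data) if a.type_id in CONTROL_TYPES]


def describe(a: Apdu) -> str:
    cot = COT_NAMES.get(a.cot, f"cot={a.cot}")
    return (f"{CONTROL_TYPES[a.type_id]} ({cot}) CA={a.common_addr} "
            f"IOA={a.ioa} state={a.state}")


# Constructed sample stream: a TESTFR act, a spontaneous float measurement
# (the normal monitoring-direction traffic), then two commands a sensor should flag.
SAMPLE = bytes.fromhex(
    "680443000000"                                      # U-frame: TESTFR act
    "6812000000000d0103000100050000" "00004842" "00"    # I: M_ME_NC_1, 50.0 on IOA 5
    "680e020000002d0106000100010000" "01"               # I: C_SC_NA_1 activation, ON, IOA 1
    "680e040000002e0106000100020000" "01"               # I: C_DC_NA_1 activation, OFF, IOA 2
)

if __name__ == "__main__":
    for alert in control_commands(SAMPLE):
        print("ALERT control command:", describe(alert))
```

Run stand-alone it reports the single-command ON and the double-command OFF and ignores the measurement and the test frame. In a real sensor the decoded command would be checked against an allow-list of legitimate master endpoints and expected common addresses, which is the "behaviors that are not expected" style of detection the article's researchers recommend over signature matching alone.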
From the outside, one might assume that a device in control of sensitive industrial processes would be armed to the teeth with security. But that couldn't be further from the truth.
"Most often there is no additional security at this point," Mandiant's Kapellmann Zafra says of the RTU and similar controllers. "It's a trend, that the recent types of malware families that we've been seeing in OT are taking advantage of protocols that are open."
RTUs are victim to the "insecure by design" phenomenon, named and popularized more than a decade ago by the industrial security influencer Dale Peterson. The idea, in short, is that industrial machines are often designed to operate in trusted environments, without security in mind, due to age, complexity, and other factors. Often, their features — the very functions detailed in their manuals — could, in a security context, be construed as vulnerabilities.
To anyone used to IT, it will sound backward that, for example, RTUs don't even apply basic encryption to their inbound or outbound data flows. As Kapellmann Zafra explains, "when you're working with data from a traditional IT perspective, what you really want to make sure of is that no one can get access to the data. However, in the case of OT security, this data is supporting a process. So what you care the most about is that this piece of data fulfills its purpose, and your process continues operating how it was expected to operate."
In other words, data security is lower on the totem pole than safety and reliability. "The priorities from an OT standpoint are different, and based on that we don't implement security controls that might interfere with a cyber-physical process," the researcher says.
Because there's such an openness to these otherwise critical devices, defending against CosmicEnergy — or Industroyer or Triton, for that matter — requires consideration and proactiveness. "It's not as simple as having all kinds of different security solutions," Kapellmann Zafra says.
He highlights detection as the key. "Because even though we have the rules and IoCs for the malware, what we're seeing with these types of implementations is that, oftentimes, you can't just run a rule and expect you're going to find it. You have to keep your eyes open for behaviors that are not expected."
